The Iceland Data Protection Authority announced that it fined Primary Care of the Capital Area $36,000 for processing personal data in the common health register system without properly meeting the requirements of the Medical Register Act. Its investigation showed that Primary Care hadn't been authorized to merge its health care system with those of other parties.

The Latvian data protection authority Wednesday advised organizations on gaps it sees in privacy policies and how to fix them. One problem, the Data State Inspectorate said, is that privacy policies tend to be posted on a website in a way that makes them hard to find and access. Another is that organizations often use standardized or copied privacy policies instead of adapting them to their own unique business.

X is challenging a decision in the Berlin Regional Court that it said Tuesday "egregiously undermines our fundamental right to due process and threatens the privacy rights and free speech of our users."

Public administrations must take data protection by design into account in public contracts and that requirement isn't fulfilled by simply including generic clauses regarding General Data Protection Regulation (GDPR) obligations, Spain's data protection agency said Wednesday.

The U.K. Information Commissioner's Office (ICO) published its Tech Horizons 2025 report, identifying privacy and data protection implications of four emerging technologies: (1) connected transport, (2) quantum sensing and imaging, (3) digital diagnostics, therapeutics and healthcare infrastructure (such as AI-assisted diagnosis) and (4) synthetic media (partly or wholly generated using AI/machine learning) and its identification and detection.

A high school in Romania breached the General Data Protection Regulation by processing personal data through a video surveillance system whose monitors were illegally and excessively installed in the principal's office, giving his personal phone access to images and audio captured in hallways, the stairwell and bathrooms. The Romanian National Supervisory Authority for Personal Data Processing announced results of its investigation Feb. 7.

The EU needs a consistent approach to age assurance, the European Data Protection Board (EDPB) said in a statement Wednesday after its Feb. 9 plenary. It set out specific guidance and high-level principles arising from the General Data Protection Regulation (GDPR) that it said should be considered when personal data is processed in the context of age verification.

The European Data Protection Board (EDPB) Tuesday discussed enforcement activities concerning the DeepSeek AI chatbot and agreed to extend the scope of its ChatGPT task force to AI enforcement, a spokesperson emailed. The task force was created to encourage cooperation and exchange information on possible enforcement actions conducted by data protection authorities (DPAs) on ChatGPT.

Fallout from the U.K. government's decision to force Apple to make available encrypted cloud data continued over the weekend. Internet Society Senior Director of Internet Trust Robin Wilton posted on LinkedIn that "the consensus among cybersecurity experts is clear: 'there's no way to break encryption without making everyone more vulnerable.'"

Several parts of the U.K. Data (Use and Access) legislation (DUA) require further clarification from the government, Information Commissioner John Edwards told the House of Commons Monday. DUA was introduced in Parliament last October and has now completed its passage through the Lords, "where it has been subject to a number of amendments and significant debate," he said.